CGI Programming: Part 2
Robert M. Dondero, Ph.D.
Princeton University

Objectives
* You will learn about:
  * Stateful CGI programming
  * Via URL rewriting, hidden form fields, cookies
  * In Python and Java

The Need for State
* Problem: CGI is a stateless protocol
  * Neither browser nor web server remembers previous interactions
  * CGI program exits; so it can't remember either!

Examples of the Need for State
* Personalization
* Session management
* Remember user preferences
* Manage "shopping cart"
* In Pennypack application:
  * Want "previous search" field in searchform page
  * Demo of PennypackPython3

Example of the Need for State
* Browser displays the search form: <form action="searchresults.cgi" method="get"> … Prev search: (None)
* User enters "Ker"
* Web server runs searchresults.cgi
* Browser displays: Click here to do another author search (<a href="searchform.cgi">)
* Web server runs searchform.cgi: doesn't know previous author
* Browser displays the search form: <form action="searchresults.cgi" method="get"> … Prev search: ???

State via URL Rewriting
* Solution 1: URL rewriting
  * Append state data to end of URL

State via URL Rewriting Example
* Browser displays the search form: <form action="searchresults.cgi" method="get"> … Prev search: (None)
* User enters "Ker"
* Web server runs searchresults.cgi: performs URL rewriting
* Browser displays: Click here to do another author search (<a href="searchform.cgi?prevAuthor=Ker">)
* Web server runs searchform.cgi: does know previous author
* Browser displays the search form: <form action="searchresults.cgi" method="get"> … Prev search: Ker

State via Hidden Form Fields
* Solution 2: Hidden form fields
  * Place state data into form "input" tag of type "hidden"
  * Browser does not display

State via Form Fields Example
* Browser displays the search form: <form action="searchresults.cgi" method="get"> ... Prev search: (None)
* User enters "Ker"
* Web server runs searchresults.cgi: generates hidden form field
* Browser displays: Click here to do another author search
    <form action="searchform.cgi" method="get">
    <input type="hidden" name="prevAuthor" value="Ker">
    <input type="submit">...
* Web server runs searchform.cgi: does know previous author
* Browser displays the search form: <form action="searchresults.cgi" method="get"> ... Prev search: Ker

State via Cookies
* Solution 3: Cookies
* Web server:
  * Places state in a cookie
  * Passes cookie to browser as header
* And then...

State via Cookies
* Browser:
  * Retains cookie in memory or client file system
    * Until specified cookie expiry date
    * Until human user explicitly deletes it
  * Passes cookie to web server as header
    * But only to same domain (and path) that sent it originally

Cookie Attributes
* Cookie attributes:
  * Name
  * Content
  * Host
    * The domain to which the browser should send the cookie
    * Default is the domain of the page that set the cookie
    * Can specify a subdomain of origin, but not a completely different domain

Cookie Attributes
* Cookie attributes (cont):
  * Path
    * The directory where the cookie is active
    * Default is the directory of page that created cookie
  * Expiry date
    * Default is this browser session

State via Cookies Example
* Browser displays the search form: <form action="searchresults.cgi" method="get"> ... Prev search: (None)
* User enters "Ker"
* Browser sends to web server:
    GET searchresults.cgi?author=Ker HTTP/1.1
    Host: www.cs.princeton.edu
    <blank line>
* Web server passes to searchresults.cgi:
    QUERY_STRING: author=Ker
* searchresults.cgi writes:
    Set-Cookie: prevAuthor=Ker
    Content-type: Text/html
    <blank line>
    <HTML page>

State via Cookies Example
* Web server sends to browser:
    HTTP/1.1 200 OK
    Date: date
    Server: www.cs.princeton.edu
    Set-Cookie: prevAuthor=Ker
    …
    Content-Type: Text/html
    <Blank line>
    <HTML page>
* Browser displays: Click here to do another author search (<a href="searchform.cgi">)
* Browser retains cookie
* Browser sends to web server:
    GET searchform.cgi HTTP/1.1
    Host: www.cs.princeton.edu
    Cookie: prevAuthor=Ker
    <blank line>
* Web server passes to searchform.cgi:
    HTTP_COOKIE: prevAuthor=Ker

State via Cookies Example
* searchform.cgi knows previous author via HTTP_COOKIE env var
* searchform.cgi writes:
    Content-type: Text/html
    <blank line>
    <HTML page containing Ker>
* Web server sends to browser:
    HTTP/1.1 200 OK
    Date: date
    Server: www.cs.princeton.edu
    …
    Content-Type: Text/html
    <Blank line>
    <HTML page containing Ker>
* Browser displays the search form: <form action="searchresults.cgi" method="get"> … Prev search: Ker

PennypackPython3 Application
* See PennypackPython3 application
  * book.py (same)
  * database.py (same)
  * common.py (same)
  * index.html (same)

PennypackPython3 Application
* searchform.cgi (same)
* searchform.py (different)
  * Uses prevAuthor cookie passed by browser
* searchresults.cgi (same)
* searchresults.py (different)
  * Asks browser to store prevAuthor cookie
* Try viewing cookies in Firefox:
  * Tools → Page Info → Security → View Cookies

PennypackJava3 Application
* See PennypackJava3 application
  * Book.java (same)
  * Database.java (same)
  * Common.java (same)
  * index.html (same)

PennypackJava3 Application
* searchform.cgi (same)
* SearchForm.java (different)
  * Uses prevAuthor cookie passed by browser
* searchresults.cgi (same)
* SearchResults.java (different)
  * Asks browser to store prevAuthor cookie
* Cgi.java (different)
  * See cookie-handling code
  * Primitive: Handles only name and content attributes

PennypackJava3 Application
* Try viewing cookies in Firefox:
  * Tools → Page Info → Security → View Cookies

Cookie Issue: Size
* Problem: Cookie size is limited to 4K
* Solution
  * Cookie content stored on server-side (in database), indexed by a unique key
  * Cookie contains key only

Cookie Issue: Disabled Cookies
* Problem: User may disable browser cookies
* Solution: Ask the user to enable them!
* Or... Add more logic
  * Fall back to URL rewriting or hidden form fields if necessary

Cookie Issue: 3rd Party Cookies
* Problem: Third-party cookies can invade privacy
  * (See http://www.google.com/doubleclick/)

Cookie Issue: 3rd Party Cookies
* AdConsultant contracts with Company1 & Company2
* Company1.com sends the browser a page which includes a (hidden) image from AdConsultant.com
* Browser requests the image from AdConsultant.com: User visited Company1
* AdConsultant.com returns the image and sets AdConsultant cookie: User visited Company1
* AdConsultant knows that user visited Company1

Cookie Issue: 3rd Party Cookies
* Company2.com sends the browser a page which includes a (hidden) image from AdConsultant.com
* Browser requests the image from AdConsultant.com: User visited Company2, with AdConsultant cookie: User visited Company1
* AdConsultant.com returns the image and sets AdConsultant cookie: User visited Company2
* AdConsultant knows that user visited Company1 and Company2
* AdConsultant provides user profile to Company1 & Company2

Cookie Issue: 3rd Party Cookies
* Solution: Some browsers allow refusal of third-party cookies
* In Firefox:
  * Edit → Preferences → Privacy → "Firefox will" → "Use custom settings for history"
  * Then uncheck "Accept third-party cookies"

Summary
* We have covered:
  * Stateful CGI programming
  * Via URL rewriting, hidden form fields, cookies
  * In Python and Java
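
The "Cookie Issue: Size" solution (cookie contains a unique key only, content stored server-side), applied to the prevAuthor exchange from the cookie example slides. This is an added example, not code from the PennypackPython3 application. The cookie name sessionKey, the in-memory SESSIONS dict standing in for the database, and the function names are assumptions, and the handlers take the CGI environment as a dict so they run offline.

```python
import html
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Assumption: in-memory stand-in for the server-side database.
SESSIONS = {}

def session_key(environ):
    """Return the key from HTTP_COOKIE only if this server issued it."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    morsel = cookie.get("sessionKey")  # hypothetical cookie name
    if morsel is not None and morsel.value in SESSIONS:
        return morsel.value
    return None  # missing or unknown key: treat as a new visitor

def searchresults(environ):
    """Role of searchresults.cgi: keep the author server-side, send the key."""
    query = parse_qs(environ.get("QUERY_STRING", ""))
    author = query.get("author", [""])[0]
    # Reuse a key we issued earlier, otherwise mint an unguessable one.
    key = session_key(environ) or secrets.token_urlsafe(32)
    SESSIONS[key] = {"prevAuthor": author}
    cookie = SimpleCookie()
    cookie["sessionKey"] = key
    cookie["sessionKey"]["path"] = "/"
    cookie["sessionKey"]["httponly"] = True  # hide from page scripts
    # CGI output: headers, blank line, then the page body would follow.
    return cookie.output() + "\nContent-type: text/html\n\n"

def searchform(environ):
    """Role of searchform.cgi: look the previous author up by key."""
    key = session_key(environ)
    prev = SESSIONS[key]["prevAuthor"] if key else ""
    # The stored value came from the user, so escape it before output.
    return "Prev search: " + html.escape(prev or "(None)")

if __name__ == "__main__":
    # Constructed request: the user searches for "Ker", then reloads the form.
    headers = searchresults({"QUERY_STRING": "author=Ker"})
    key = list(SESSIONS)[-1]
    print(headers + searchform({"HTTP_COOKIE": "sessionKey=" + key}))
```

Because the browser now holds only a random key, the user cannot edit the stored value directly, and a key the server never issued is ignored rather than adopted.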